package cn.tedu.jdbc;

import java.sql.*;
import java.util.Scanner;

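public class Test3 {
    /**
     * Reads an account name and a password from standard input and reports whether
     * a matching row exists in the {@code user} table.
     *
     * <p>Background kept from the original lesson notes: the earlier version built
     * the query by string concatenation,
     * {@code "select * from user where name = '" + s1 + "'and pwd = '" + s2 + "'"},
     * so an account name such as {@code jack'#} turned the rest of the WHERE clause
     * into a SQL comment and the password condition was never evaluated. A
     * {@link PreparedStatement} with {@code ?} placeholders sends the typed values
     * as parameters rather than as SQL text, so input cannot alter the statement.
     *
     * @param args ignored
     * @throws Exception if the driver class cannot be loaded, or the database
     *     cannot be reached or queried
     */
    public static void main(String[] args) throws Exception {
        // try-with-resources releases Scanner, Connection, PreparedStatement and
        // ResultSet in reverse order even when a read or query throws; the original
        // closed them only on the success path.
        try (Scanner sc = new Scanner(System.in)) {
            System.out.println("请输入账号");
            String name = sc.nextLine();
            System.out.println("请输入密码");
            String pwd = sc.nextLine();

            Class.forName("com.mysql.cj.jdbc.Driver");
            // NOTE(review): database credentials are hard-coded here; outside a
            // classroom exercise they belong in configuration, not in source.
            String url = "jdbc:mysql://localhost:3307/cgb211101";
            try (Connection c = DriverManager.getConnection(url, "root", "root")) {
                if (userExists(c, name, pwd)) {
                    System.out.println("登陆成功");
                } else {
                    System.out.println("登录失败");
                }
            }
        }
    }

    /**
     * Runs the parameterized lookup and reports whether at least one row matched.
     *
     * @param c open database connection
     * @param name account name exactly as typed by the user
     * @param pwd password exactly as typed by the user. NOTE(review): the query
     *     compares this value directly against the {@code pwd} column, which only
     *     works if the column holds the password in the same form; verifying a
     *     stored hash in Java instead of comparing in SQL would be preferable.
     * @return {@code true} if the query returned at least one row
     * @throws SQLException if preparing or executing the query fails
     */
    private static boolean userExists(Connection c, String name, String pwd) throws SQLException {
        // SQL skeleton: the values are bound below, never concatenated into the text.
        String sql = "select * from user where name = ? and pwd = ?";
        try (PreparedStatement s = c.prepareStatement(sql)) {
            s.setString(1, name); // first placeholder
            s.setString(2, pwd);  // second placeholder
            try (ResultSet r = s.executeQuery()) {
                return r.next();
            }
        }
    }
}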


